Description
Is your feature request related to a problem? Please describe.
No
First off, I love the project.
The default assembly name for the initial loader, aka "dropper_cs", requires external customisation to modify. This dropper_cs assembly name is also present in the full implant, which includes the AMSI and ETW bypass in the bootstrap.
When serious blue teams are doing IR this becomes an OPSEC concern.
ETW is doing a good job blocking the assembly names "for now"; however, deeper offline forensics will eventually reveal the glaring standout default assembly names.
Describe the solution you'd like
Add assembly-name ##REPLACEME## functionality, as with the other variables in config.yaml.
Describe alternatives you've considered
Modifying binaries in dnSpy, recompiling the core source, and decompiling implants in IDA.
Additional context
NA
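As an added illustration (not code from this issue, the project, or its author) of the config-driven placeholder substitution requested above, together with the forensic check that motivates it: a Python script that fills ##NAME## placeholders from a dict standing in for config.yaml, fails closed if any placeholder is left unresolved, and scans a built artifact for the default assembly name in both encodings .NET metadata uses (UTF-8 in the #Strings heap, UTF-16LE in the #US heap). The config keys, the ASSEMBLY_NAME placeholder, the template and the sample bytes are constructed assumptions.

```python
"""Config-driven ##PLACEHOLDER## substitution plus a leftover-name check.

Illustration added to this issue; NOT the project's own code. The config
keys, the ASSEMBLY_NAME placeholder, the template and the sample artifact
bytes are constructed assumptions.
"""
import re

# Placeholders follow the ##NAME## convention referred to in the issue.
PLACEHOLDER = re.compile(r"##([A-Z_][A-Z0-9_]*)##")

# Constructed stand-in for values that would be read from config.yaml.
SAMPLE_CONFIG = {
    "ASSEMBLY_NAME": "SvcHostHelper",
    "SLEEP": "30",
}

# Constructed stand-in for a project/source template carrying placeholders.
SAMPLE_TEMPLATE = """<PropertyGroup>
  <AssemblyName>##ASSEMBLY_NAME##</AssemblyName>
  <RootNamespace>##ASSEMBLY_NAME##</RootNamespace>
</PropertyGroup>
// sleep = ##SLEEP##
"""

# Default names that should never survive into a built artifact.
DEFAULT_NAMES = ["dropper_cs"]


def render_template(template: str, values: dict) -> str:
    """Replace every ##KEY## with values[KEY]; fail closed on any leftover."""
    def sub(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value for placeholder ##{key}##")
        return values[key]

    rendered = PLACEHOLDER.sub(sub, template)
    # A substituted value could itself contain a placeholder; refuse that too.
    if PLACEHOLDER.search(rendered):
        raise ValueError("unresolved placeholder after substitution")
    return rendered


def find_leftover_names(blob: bytes, names=DEFAULT_NAMES) -> list:
    """Return (name, encoding, offset) for each default-name hit in an artifact.

    The assembly name lives in the UTF-8 #Strings heap, while user strings are
    UTF-16LE in #US, so both encodings are scanned. Matching is ASCII
    case-insensitive, which covers the identifiers checked here.
    """
    hits = []
    lowered = blob.lower()  # bytes.lower() only folds ASCII, which is what we need
    for name in names:
        for enc in ("utf-8", "utf-16-le"):
            needle = name.lower().encode(enc)
            start = 0
            while True:
                idx = lowered.find(needle, start)
                if idx < 0:
                    break
                hits.append((name, enc, idx))
                start = idx + 1
    return hits


if __name__ == "__main__":
    print(render_template(SAMPLE_TEMPLATE, SAMPLE_CONFIG))
    # Constructed artifact: the default name present once in each encoding.
    sample_blob = (b"\x00MZ" + "dropper_cs".encode("utf-16-le")
                   + b"\x00junk Dropper_CS end")
    for hit in find_leftover_names(sample_blob):
        print("leftover default name:", hit)
```

Wiring `find_leftover_names` into the build step as a hard failure catches the case the issue describes, where the loader was renamed but the full implant still embeds the default name.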